403 Forbidden vs 404 Not Found
403 denies access to an existing resource. 404 indicates path does not exist or is intentionally hidden.
| Aspect | 403 Forbidden | 404 Not Found |
|---|---|---|
| When it happens | Emitted when conditions specific to 403 forbidden occur. | Emitted when conditions specific to 404 not found occur. |
| How to tell apart | Identify which layer emitted the code and inspect headers/logs for that layer. | Confirm whether problem is auth/policy, upstream quality, overload, or timeout. |
| Troubleshooting first step | Trace request ID through edge and application logs. | Check deploy/config changes and dependency health in same time window. |
| Practical note | Do not mask this response with generic handlers. | Return explicit headers like Retry-After or auth challenge when relevant. |
When each appears in production
Use CDN/proxy logs to find emission point, then app logs/traces to isolate root cause.
Troubleshooting workflow
Validate routing, policy, and timeout budgets in order. Fix the first failing layer before tuning client retries.
Related guides: 403 Forbidden · 404 Not Found